From Jeff Schilling, CSO, Armor:
A good security awareness program should not be considered a once-a-year activity to achieve a checkmark for a compliance standard. It needs to have activities on a frequent basis and contain a variety of elements (i.e. newsletter, test phish email, lunch and learn sessions, email tips, physical security checks, clean desk review, etc.) to maintain currency and relevancy. Since technology cannot protect us or our users all the time, a good awareness program’s goal is to encourage others to develop good security habits.